Real Black Hats Hack Security Experts on Eve of Conference

Share

Real Black Hats Hack Security Experts on Eve of Conference

LAS VEGAS – Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky's site.

The files taken from Kaminsky's server included private e-mails between Kaminisky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.

The hacks also targeted other security professionals, and were apparently timed to coincide with the Black Hat and DefCon security conference in Las Vegas this week, where Kaminsky is unveiling new research on digital certificates and hash collisions.

Kaminsky made headlines last year for his Black Hat talk about vulnerabilities in the Domain Name System. He was accused by many in the security community of hyping the issue after he teased the topic in a press conference call a month before his talk without revealing details of the vulnerability, leading everyone to speculate on the nature of it. He was presented with a Pwnie award for Most Overhyped Bug and for "owning" the media.

The hackers criticized Mitnick and Kaminsky for using insecure blogging and hosting services to publish their sites, that allowed the hackers to gain easy access to their data.

We hacked Dan's assets first through finding bugs and writing 0day, and then through abusing him giving away passwords and his silly password scheme. Check out just some of his passes: fuck.hackers, 0hn0z (root account on his mail box), fuck.omg, fuck.vps, ohhai

Five character root password? Niiiiiiice.

From .mysql_history:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('fuck.mysql');

See the pattern?

Tuesday night Kaminsky removed the hackers' note from his site and replaced it with a message reading, "Well played, guys. Could have done without the personal info dump but otherwise lets grab a beer at [DefCon]." His website is currently inaccessible. In messages posted to his Twitter page he wrote, "Messy, but heh. Walk onto a battlefield, you might get shot."

Mitnick was once deemed by the government “the most wanted computer criminal in United States history” and was charged with 25 counts of wire and computer fraud and causing nearly $300 million in damages. He was jailed beginning in February 1995 for four and a half years without being charged and eventually pleaded guilty to 7 counts and was sentenced to 46 months in 1999, with some credit for time already served. He was released in 2000.

Mitnick has made a successful living on the lecture circuit and will soon publish a book about his experience, but he has often been accused by some in the hacking community of having few security skills and living off a dated reputation.

"There are people who just live press release by press release," the hackers wrote in their note. "And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last.

"If you are just someone looking to pay a fair price to not get owned, you find out quickly that none of these people exist to help you. Very few people in this industry have their income model based around actually making you more secure. At best, some of them have it based around convincing you that you are better off."